Inline npm dependency update hints for package.json in Zed.
Inspired by the VS Code extension package-json-upgrade.
Features:
- Inlay hint after each dependency, listing every distinct upgrade tier available — e.g.
🟢 17.0.2 · 🟡 17.9.5 · 🔴 19.5.7for^17.0.0when patch / minor / major targets all differ. Tiers that resolve to the same version are de-duplicated, so a dep with only a major bump available shows just🔴 X.Y.Z. A security badge is appended when the pinned version has known advisories —🚨 N vulnsfor any critical,‼ Nfor any high,⚠ Nfor moderate-only,ℹ Nfor low-only. Hover over the version string for the per-advisory list (id, summary, fix version). - Diagnostics for genuine problems only:
Error(red squiggle) — invalid semver in the version string, or critical/high security advisory affecting the pinned version.Warning(yellow squiggle) — package not found in the npm registry, or moderate security advisory.Information— low security advisory.- Outdated dependencies do not emit a diagnostic; the colored inlay hint already conveys the upgrade tier, and reserving squiggles for real errors keeps the file readable when many deps happen to be behind latest.
- Completions inside the version string: typing
^,~,., or"lists the available versions for that package, withlatesttagged. - Hover on a version string shows the package description, latest version, license, homepage, changelog link, and a per-advisory list when CVEs apply to the pinned version.
- Quick-fix code actions (Zed default
cmd-./ctrl-.):- Do patch / minor / major upgrade to
<latest> - Open homepage
- Open changelog
- Update to first non-vulnerable version (when audit advisories apply to the pinned version)
- Update all dependencies (patch / minor / major) (document-wide quick-fix; pick the safety tier you want)
- Do patch / minor / major upgrade to
- Parallel registry prefetch on open/change with a per-process concurrency cap (8 in-flight requests). Subsequent code actions, hovers, and completions are served from a 1-hour in-memory cache.
| Piece | What it does |
|---|---|
extension.toml + src/lib.rs (WASM) |
Zed extension. Downloads the LSP binary from this repo's GitHub releases on first use, then registers it as a language server for JSON / JSONC. |
lsp/ (native binary) |
A tower-lsp server that parses package.json, queries the npm registry (https://registry.npmjs.org), caches results, and emits diagnostics, inlay hints and code actions. |
The LSP attaches alongside Zed's built-in json-language-server. Both run, results merged.
zed: extensions → search Package.json Upgrade → install.
In Zed: cmd-shift-p → zed: install dev extension → pick this folder. Zed compiles the WASM and the extension downloads the matching LSP binary from the latest GitHub release on first use.
To iterate on the LSP without round-tripping through a release, build and run it locally:
cargo build --release --manifest-path lsp/Cargo.toml
# point Zed at the local binary via ~/.config/zed/settings.json:
# "lsp": { "package-json-upgrade": { "binary": { "path": "/abs/path/to/target/release/package-json-upgrade-lsp" } } }The colored markers (🔴 25.6.0, ⚠ 1h, …) are LSP inlay hints. Zed defaults inlay hints to off because globally enabling them lights up every TypeScript / Rust / Python type hint too — which most people don't want. Enable them only for JSON in your settings.json:
This scopes inlay hints to JSON / JSONC buffers. Zed's built-in json-language-server does not emit inlay hints, so in practice the only extension this affects is package-json-upgrade-lsp.
The diagnostics, hovers, and code actions work without any inlay-hint config — they're standard LSP features.
In Zed settings.json:
{
"lsp": {
"package-json-upgrade": {
"settings": {
"ignorePatterns": ["^@types/.+$"],
"ignoreVersions": {
"@types/node": ">18"
},
"checkSections": ["dependencies", "devDependencies", "peerDependencies"],
"showUpdates": true,
"audit": true
}
}
}
}| Key | Type | Default | Effect |
|---|---|---|---|
ignorePatterns |
string[] (regex) |
[] |
Hide updates for matching package names. |
ignoreVersions |
{ [name]: semverRange } |
{} |
Hide latest versions matching the range. Useful to pin a major. |
checkSections |
string[] |
["dependencies", "devDependencies"] |
Which top-level sections to scan. |
showUpdates |
boolean |
true |
Disable to silence the extension globally. |
audit |
boolean |
true |
Query OSV.dev for security advisories on the pinned version of each dependency. Set to false to disable audit network calls and CVE markers entirely. |
- Tag the repo (
git tag v0.0.1 && git push --tags). The release workflow builds and uploads LSP binaries for macOS (arm64+x64), Linux (arm64+x64) and Windows (x64). - Bump
versioninextension.tomlto match the tag. - Fork
zed-industries/extensions. git submodule add https://github.com/Arthurmtro/zed-package-json-upgrade.git extensions/package-json-upgrade-lsp- Add to
extensions.toml:[package-json-upgrade-lsp] submodule = "extensions/package-json-upgrade-lsp" version = "0.0.1"
pnpm sort-extensions, commit, open PR.
For subsequent updates: git submodule update --remote extensions/package-json-upgrade-lsp then bump version in extensions.toml.
Apache-2.0
{ // leave this off to keep TS/Rust/Python type hints out of the way "inlay_hints": { "enabled": false }, "languages": { "JSON": { "inlay_hints": { "enabled": true } }, "JSONC": { "inlay_hints": { "enabled": true } } } }